Odd identd behavior
From: Mike Owen (kyphros_at_gmail.com)
Date: Thu, 10 Nov 2005 17:39:50 -0800 To: email@example.com
While going through logs, and looking at mail server ident daemon
replies that don't fit the RFC-1413 standard, I noticed the following
string from a few servers:
"220 ..:: €lit€-Cr€w Rulez ::..."
Looks to me like this group has been compromising mail servers, and
then instead of taking them down, lets them continue running, although
with a slight modification. They probably siphon off a copy of all
email transiting their servers as well, although without access to any
of these servers, I can't tell.
Interesting to note, if you send 2 ident requests, the second one comes back as:
"220 ..:: €lit€-Cr€w Rulez ::....530 Not logged in..."
This leads me to believe this is the backdoor into these mail servers,
after all, if you're trying to hide a backdoor from port scans, or
dealing with stringent firewall rules, subverting an existing
listening process is a smart way to do it.
I have not notified the 0wned sites, mostly because I'm not really
sure what to do there. I can't email them, which means I have to
attempt to find a contact, and then call them. Then of course, the
person I manage to get a hold of needs to understand what I'm trying
to say, and I have to hope they don't then try and email someone
telling them that they have been compromised, thereby letting the
I'm curious as to whether anyone else has seen ident replies like this.